Wednesday, April 26, 2017

Data Privacy in a "Leaky" World: A Regulatory Update for our EU and Canadian Clients

Property management depends on having both fluid and timely access to data – whether for payments and arrears, maintenance work, moves, and a host of other events that take place in a building or for pertinent resident information. At the same time, data privacy regulations and expectations call for limits on access to personal data to keep it protected.

Integrity and trust are at the core of BuildingLink. We are dedicated to ensuring that the right data gets to the right people at the right time, and we are taking every measure possible to ensure our clients’ personal data and privacy is protected. With BuildingLink’s growing worldwide presence, we’ve seen an increased emphasis – both market-driven and regulatory – on ensuring client data protection and data access controls.

While everyone is entitled to an expectation that their personal data is protected, property managers of buildings located in the EU and Canada have an extra bar to clear regarding what they do with, and where they put, their residents’ data. This update is aimed at advising all clients, and especially EU and Canadian clients, how BuildingLink helps them meet that bar.

'Layering on' BuildingLink Data Protections

We’ve built (and continue to improve) our platform with your privacy in mind, by creating multiple “layers” of customizable options for crafting data access, use, and privacy rules that work for your property. At the lowest level, the platform provides controls for physical access to the BuildingLink site and data. All users are limited to logging in only to specific computers in specific physical locations via our “authorized computers” module. At a more micro level, you can set up niche, customized data access permissions for owners, managers, renters, and employees, according to what they need to perform their functions. For example, elevator operators could be given one level of access, while maintenance workers could be given another, according to the situation requirements. 

BuildingLink screen options enable contact functions without revealing contact information. In this way, it is possible to email a resident without divulging their email address, or call a resident without disclosing their phone number or other personal information. For further data protection, you can set up a system that flags data access and changes. It is possible to track the disclosure and integrity of data by enabling notifications upon access to, or modification of, data. (One possibility is setting up the system to send out an email to residents when any of their personal data is modified!)

Taking Your Software to Europe? Don't Forget Your "Privacy Shield"!

Maintaining balance to the extent that satisfies international data transfers across the Atlantic also requires an understanding of the law and what being compliant entails. It’s important to be up-to-date on data privacy because some major changes have just come into effect. The EU – U.S, Privacy Shield replaced Safe Harbor as the standard for sanctioned transfers of personal data between the European Union and the United States.

A Really Brief History Lesson: The Rise and Demise of Safe Harbor

From 2000 to 2015, the Safe Harbor Agreement governed the legal transfer of personal data from EU member countries to the United States. However, concerns about U.S. government surveillance programs – and the way social media companies transferred personal data across the Atlantic – brought the program’s effect into question. 

These concerns were at the center of a suit brought by an Austrian Facebook user, Max Schrems, that was referred by the Irish High Court to the European Court of Justice (ECJ) in June 2015 (case number: C-362/14). He argued that the United States does not provide “adequate protection”, and that U.S. surveillance programs like the NSA’s PRISM run counter to individual data protection. 

The court agreed with the plaintiff, and invalidated the Safe Harbor Agreement. 

Privacy Shield to the Rescue

In February 2016, the EU Commission announced the new framework called EU-U.S. Privacy Shield, and released the requirements for its certification. As of August 1, 2016, American companies could certify themselves as compliant.

Privacy Shield is a new program that provides a framework for the transfer of data from the European Union to the United States. (It replaces the recently invalidated Safe Harbor Principles.) There are several guidelines that a company must adhere to and include in their privacy policy in order to be certified under this shield. The goal is to safeguard private user information, and prevent the unauthorized dissemination of data. While certification under the EU–U.S. Privacy Shield is voluntary, once a company does certify, those guidelines are enforceable by law. This assures EU users that their personal information will be safe and secure in any data transfer to a certified U.S. company.

What's the Same and What’s Different about “Privacy Shield”?

Though it’s a new program, the core of Privacy Shield is the same as that of Safe Harbor. Both were established as a self-certification program based on seven primary principles for legal data transfers: (1) notice, (2) choice, (3) accountability for onward transfer, (4) security, (5) data integrity & purpose limitation, (6) access, and (7) recourse. However, in light of Safe Harbor’s shortcomings, there are additional avenues for enforcement, including notice, opt-out options, reviews, an independent ombudsman, and EU citizens’ enhanced redress options.

Accordingly, any business that aspires to certification must publicize its data management policy on its site, and then conform to it in its day-to-day practices. This doesn’t mean that it is etched in stone forever! The company can make changes, so long as it notifies the people whose data it collects in advance. If it fails to provide that notice, the FTC can take it to task. Along with the notice about its practices, the company has to provide a way for people to opt-out if they are not comfortable with the way their data is to be handled. 

Additional enforcement comes through the new supervision mechanism that stipulates compliance reviews by the U.S. Department of Commerce. The consequences for not being found in compliance could extend from sanctions by the FTC to removal from the list of Privacy Shield approved businesses. Another external check on compliance comes in the form of a new privacy ombudsman, who can hear complaints and queries from EU citizens. This is an important component of the program. It promises that Europeans will have different channels for communicating their concerns about their data usages. 

BuildingLink is proud to say that we fully live up to the Privacy Shield principles, and are listed among the certified Privacy Shield entities.

Heading North of the border? Say hello to PIPEDA!

Canada has its own set of regulations governing data privacy requirements. The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) governs how private sector organizations collect, use, and disclose personal information in the course of commercial business. In the real estate property management space, this has implications for both property managers and software products aimed at those managers. As one example, BuildingLink has added a series of data-aging filters to restrict access to resident activity data that is older than 30 days. The good news is, you don't have to be Canadian to take advantage of our data-aging filters. – They are an option for all BuildingLink clients!

The Data-Privacy BOTTOM LINE: What is Expected of You

Being compliant really boils down to this: be clear about what personal data comes through your system – and how you are using it – so that people fully understand, and cannot later say they didn’t realize that their data was being collected. Keep up the code of conduct you set! If you have to deviate due to some change in your business operations, provide people with clear notice, so they may choose to opt-out.

The above – and additional options – are all available on BuildingLink’s flexible platform, which allows the site manager to make sure that all data access and data use is purpose-built. Our BuildingLink team is happy to work with you to deliver a solution that is optimized to achieve your preferred balance of convenience and security. Contact us at to learn more.

No comments:

Post a Comment